Android APK Checklist
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Learn Android Basics
- Basics
- Dalvik & Smali
- Entry points
- Activities
- URL Schemes
- Content Providers
- Services
- Broadcast Receivers
- Intents
- Intent Filter
- Other components
- How to use ADB
- How to modify Smali
Static Analysis
- Check for the use of obfuscation, checks for detecting whether the phone is rooted, whether an emulator is being used, and anti-tampering checks. Read this for more information.
- Sensitive applications (such as banking apps) should check whether the phone is rooted and act accordingly.
- Look for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids…).
- Pay special attention to firebase APIs.
- Read the manifest:
- Check whether the application is in debug mode and try to "exploit" it.
- Check whether the APK allows backups
- Exported Activities
- Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unity CLI extras bridge. Test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
- Is the application saving data insecurely internally or externally?
- Are there passwords hard coded or saved on disk? Is the app using insecure crypto algorithms?
- Are all libraries compiled using the PIE flag?
- Don't forget that there are a bunch of static Android Analyzers that can help you a lot during this phase.
- android:exported is mandatory on Android 12+ – misconfigured exported components can lead to external intent invocation.
- Review the Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
- Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
- Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect problems.
- Identify uses of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app.
- Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Specialised tools: flutter-packer, fluttersign, rn-differ
- Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
- Evaluate Semgrep Mobile rules, Pithus and the AI-assisted scan results of MobSF ≥ 3.9 for further findings.
- Inspect OEM ROM add-ons (OxygenOS/ColorOS/MIUI/OneUI) for additional exported ContentProviders that can bypass permissions; try content query --uri content://com.android.providers.telephony/ServiceNumberProvider without READ_SMS (e.g., OnePlus CVE-2025-10184).
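Several of the manifest and network-config items above can be triaged mechanically before manual review. The following audit helper is an added example, not code from the HackTricks page; it assumes an already-decoded (e.g. apktool) AndroidManifest.xml and network_security_config.xml as text, and both sample inputs are constructed. It flags android:debuggable, allowBackup not disabled, components exported (explicitly or via an intent-filter on pre-12 rules) without an android:permission, and cleartextTrafficPermitted="true".

```python
# Added audit helper (not HackTricks code): static checks for the manifest and
# Network Security Config items of the checklist. Inputs are decoded XML text.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

def attr(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Return findings for a decoded AndroidManifest.xml, in document order."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append("application is debuggable")
    if attr(app, "allowBackup") != "false":
        findings.append("allowBackup not disabled (adb backup may dump app data)")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name, exported = attr(comp, "name"), attr(comp, "exported")
        # Before Android 12 an intent-filter implied exported="true" when unset;
        # on Android 12+ the attribute is mandatory for such components.
        has_filter = comp.find("intent-filter") is not None
        if exported is None and has_filter:
            findings.append(f"{comp.tag} {name}: android:exported missing (mandatory on Android 12+)")
        if (exported == "true" or (exported is None and has_filter)) and not attr(comp, "permission"):
            findings.append(f"{comp.tag} {name}: exported without a permission")
    return findings

def audit_network_config(xml_text):
    """Flag cleartextTrafficPermitted="true" in base-config or any domain-config."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag in ("base-config", "domain-config") and cfg.get("cleartextTrafficPermitted") == "true":
            domains = [d.text for d in cfg.findall("domain")] or ["all domains"]
            findings.append("cleartext permitted for " + ", ".join(domains))
    return findings

# Constructed sample inputs (not taken from any real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true" android:permission="com.example.READ"/>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="a"/></intent-filter></receiver>
  </application></manifest>"""
NET_CONFIG = """<network-security-config><base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true"><domain>legacy.example.com</domain></domain-config>
</network-security-config>"""
```

An exported component without a permission is a review prompt, not a vulnerability by itself (launcher activities are legitimately exported); the value is in listing every such entry point so each can be checked against the Activities / Content Providers / Services / Broadcast Receivers items above.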
Dynamic Analysis
- Prepare the environment (online, local VM or physical)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application sending information in clear text / using weak algorithms (MitM possible)?
- Inspect HTTP/HTTPS traffic
- This is very important, because if you can capture the HTTP traffic you can look for common Web vulnerabilities (HackTricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (static code analysis will probably help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords…)
- Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
- Try overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
- Check whether adb backup / bmgr backupnow can still dump app data (apps that forgot to disable allowBackup).
- Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if authorised.
- If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or replay on the network. Recent Play Integrity Fix releases (≥17.x) embed playcurl; consider ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
- Instrument with modern tools:
- Objection > 2.0, Frida 17+ (Android 16 support, ART offset fixes), NowSecure-Tracer (2024)
- Dynamic system-wide tracing with perfetto/simpleperf.
- For OEM telephony/provider bugs (e.g., OxygenOS CVE-2025-10184), test permission-less SMS read/send via the content CLI or an in-app ContentResolver; try blind SQLi in update() to extract rows.
Some obfuscation/Deobfuscation information
References
- CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)
- Rapid7: CVE-2025-10184 OnePlus OxygenOS Telephony provider permission bypass
- TapTrap animation-based tapjacking research (TU Wien)